Possible to disable SAE and force WPA2-PSK-AES on wpa_supplicant v2.10?

Theron Spiegl theron at nnter.net
Fri Mar 17 18:40:45 PDT 2023

In some tests, I'd also used `nmcli con modify test_ssid wifi-sec.proto rsn` which prevents WPA from being offered, but I left that detail out of this discussion because it only worked when using wpa_supplicant 2.9. On 2.10, it would prevent all devices from being able to join the hotspot. However, now that I'm using `wifi-sec.pmf disable`, I can specify RSN/WPA2 with that command and all devices can join. I didn't consider this to be a hard requirement previously because specifying `wifi-sec.pairwise ccmp` and `wifi-sec.group ccmp` had prevented TKIP from being used.

On Fri, Mar 17, 2023, at 6:36 PM, Kennedy, Smith Wireless & IPP Standards wrote:
> > On Mar 16, 2023, at 6:15 PM, Theron Spiegl <theron at nnter.net> wrote:
> > 
> > CAUTION: External Email Hi, I'm using a Qualcomm Atheros QCA6174 with wpa_supplicant v2.10. When I start a hotspot with the commands below, it can be joined by most devices (Linux, Windows, iOS) but not an M1 MacBook Pro. I've determined that this is because of SAE/WPA3 support: if I run macOS's `airport` CLI utility, I see that the wpa_supplicant 2.10 hotspot offers `WPA(PSK/AES/AES) RSN(PSK,PSK-SHA256,SAE/AES/AES)` in the Security column. When I use wpa_supplicant 2.9, it offers `WPA(PSK/AES/AES) RSN(PSK,PSK-SHA256/AES/AES)`, and the MacBook can join.
> I don't know if I'm interpreting this correctly but what you are describing seems to indicate that hostapd 2.10 is presenting WPA Personal / WPA2 Personal / WPA3 Personal, which is a configuration that a properly implemented (and perhaps Wi-Fi Alliance certified) STA should or could reject as invalid. Wi-Fi Alliance WPA3 Personal Transition Mode specifically disallows the AP to support WPA Personal in addition to WPA3 Personal (SAE) / WPA2 Personal (PSK).
> *Attachments:*
>  • signature.asc

More information about the Hostap mailing list